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1. (Currently Amended) A method for automatically creating a record for one or 
more computer security incidents and reactions thereto, comprising the steps of: 

recording computer security incident information with at least one of a 
date and time stamp, the computer se curity incident information indicating one of 
suspicious computer activity that occ u rs prior to a computer security threat and an actual 
computer security threat : 

providing data to enable display of a procedure comprising o ne or more 
steps for one of investigating an d responding to the computer security incident 
information: 

receiving a selection of one or more steps of a procedure; 

executing the selected one or more steps of the procedure; 

in response to executing the one or more steps of the selected procedure, 
recording executed procedure information and results of the executed one or more step s 
ofthe procedure with at least one of a date and time stamp; and 

outputting a record comprising the computer security incident information, 
executed procedure information, results of one or more steps of the executed 
procodiiroor jroeedure, an identity of a user who selected the procedure, and at least one of 
a corresponding date stamp and time stamp. 

2. (Original) The method of Claim 1, wherein the record comprises an 
unrnodifiable, permanent database. 

3. (Original) The method of Claim 1, further comprising the step of recording, 
the results of the executed procedure with a digital signature to enable detection of any 
modification of the recorded results, whereby integrity of the recorded results can be 
monitored. 



4. (Original) The method of Claim 1, further comprising the step of extracting 
information from the results of an executed procedure. 
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5. (Currently Amended) The method of Claim 4, further comprising the step of 
describing a computer security incident with said extraction information. 

6. (Currently Amended) The method of Claim 1, further comprising the step of 
displaying information for a particular computer security incident to more than one user. 

7. (Original) The method of Claim 1, further comprising the step of 
prepopulating fields of a record of a first program module from a second program 
module. 



8. (Currently Amended) The method of Claim 1, further comprising the steps of 
receiving co mputer security incident information from a first program 

module; 

processing the computer security incident information with a second 
program module; and 

forwarding the processed computer security incident information from the 
second program module to a third program module. 

9; (Original) The method of Claim 1, wherein the step of receiving a selection of 
a procedure comprises automatically selecting a procedure with a program module. 

10. (Currently Amended) The method of Claim 1, further comprises the step of 
suggesting a procedure with a program module based upon the type of computer security 
incident. 

11. (Original) The method of Claim 1, wherein each step is performed 
automatically by a program module. 

12. (Original) The method of Claim 1, wherein some of the steps are performed 
automatically by a program module. 
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13. (Original) The method of Claim 1, further comprising the step of displaying 
reports comprising one or more computer security incidents. 

14. (Original) The method of Claim 1, wherein the results of an executed 
procedure comprise at least one of text, numbers, images, or formatted documents. 

15. (Currently Amended) The method of Claim 1 , further comprising the step of 
predicting future actions of a source of a computer security incident 

16. (Currently Amended) The method of Claim 1, further comprising the step of 
identifying the source of a computer security incident. 

17. (Currently Amended) The method of Claim 1, further comprising the step of 
sorting decoy or false computer security incidents from actual computer security 
incidents. 

1 8. (Original) The method of Claim 1, further comprising the step linking a first 
procedure to a second procedure. 

19. (Original) The method of Claim 1, further comprising the step of 
determining the authorization level of a user, 

20. (Original) The method of Claim 1, wherein the step providing data to enable 
display of a procedure further comprises the step of providing data for enabling display of 
one or more steps of a procedure. 
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2 1 . (Original) The method of Claim 1 , further comprising the steps of: 

providing data to enable display of a response procedure; 
executing the response procedure; and 

in response to executing the response procedure, recording executed 
response procedure information and results of the executed response procedure with at 
least one of a date and time stamp. 

22. (Original) The method of Claim 1, further comprising the steps of: 

providing data to enable display of an investigation procedure; 
executing the investigation procedure; and 

in response to executing the investigation procedure, recording executed 
investigation procedure information and results of the executed investigation procedure 
with at least one of a date and time stamp. 

23. (Original) The method of Claim 21, wherein the step of providing data to 
enable display of the response procedure further comprises the step of providing data to 
enable display of one or more steps of the response procedure. 

24. (Original) The method of Claim 1, further comprising the step of providing 
data to enable display of results of the executed procedure. 

25. (Original) The method of Claim 23, further comprising the step of providing 
data to enable display of results of the executed procedure. 

26. (Original) The method of Claim 1, further comprising the steps of: 

identifying an appropriate computer to execute a step in the investigation 

procedure; and 

identifying an appropriate computer to execute a step in the response 

procedure. 
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27. (Original) The method of Claim 26, further comprising the steps of: 

accessing a table comprising computet locations and step information; 
comparing a step to be executed with computer locations listed in the 

table; 

determining a match exists between the step to be executed and the 
computer locations; and 

if one or more matches exist, displaying the matching information or 
automatically selecting an appropriate location. 

28. (Currently Amended) The method of Claim 27, wherein the table further 
comprises Internet address ranges, the method further comprising the step of comparing 
an Internet address of a source of a computer security incident with the Internet address 
ranges of the table. 

29. (Original) The method of Claim 27, further comprising the step of providing 
data to enable display of an appropriate substitute computer location if a match does not 
exist. 

30. (Currently Amended) The method of Claim 27, further comprising the step 
of identifying an appropriate computer to execute a step in either an investigation or a 
response procedure, wherein the computer is strategically located relative to a source of a 
computer security incident. 

31. (Original) The method of Claim 1, wherein each procedure comprises one or 
more steps, the method further comprising the step of executing one or more program 
modules in response to a selection of a procedure. 

32. (Original) The method of Claim 31, wherein the one or more program 
modules comprise one or more software application programs that can operate as stand 
alone programs. 



08 
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33. (Original) The method of Claim 31, wherein at least one program module 
comprises an off-the-shelf software application program. 

34. (Currently Amended) The method of Claim 1 , wherein the computer security 
incident information comprises predefined attributes. 

35. (Original) The method of Claim 34, wherein the predefined attributes 
comprise any one of a computer incident severity level, a computer incident category, a 
computer incident scope value, a computer incident status value, an attacker internet 
protocol (IP) address value, an attacker ISP name, an attacker country, an external 
attacker status value, an incident type vale, a vulnerabilities level, an entry point value, an 
attack profile value, a target networks value, a target firewalls value, a target hosts value, 
a target services value, a target accounts value, and a damage type value. 

36. (Currently Amended) The method of Claim 1 , wherein the computer security 
incident information comprises attributes that are at least one of viable and computer- 
generated. 

37. (Currently Amended) The method of Claim 35, further comprising the step 
of determining whether a computer security incident comprises an actual breach in 
security based upon value of its attributes. 

38. (Original) The method of Claim 1 , further comprising the steps of: 

receiving a selection for a step of a procedure; and 

generating a pre-execution warning prior to the selection of a step. 

39. (Original) The method of Claim 1, further comprising the steps of: 

receiving a selection for a step of a procedure; 
executing the selected step; and 

suggesting an appropriate subsequent step in the procedure. 
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40. (Currently Amended) The method of Claim 1, wherein each step is 
performed automatically in response to a detected computer computer security incident, 

41. (Original) The method of Claim 1 , further comprising the steps of: 

providing data to enable display of a plurality of computer tools in a non- 
procedural manner, 

receiving a selection for a computer tool; and 
executing the selected computer tool 



[The Remainder of this Page has been intentionally left blank.] 
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42. (Currently Amended) A method for organizing and recording reactions to 
one or more computer security incidents, comprising the steps of: 

providing data to enable display of one or more computer security 
investigation procedures for investigating one of suspicious computer activity that occurs 
prior to a computer security threat and an actual computer security threat; 

providing data to enable display of one or more computer security 
response procedures for, responding to one of suspicious computer activity that occurs 
prior to a computer security threat and an actual computer security threat: 

in response to a selection of a computer security investigation procedure, 
providing data to enable display of one or more corresponding investigation steps; 

in response to a selection of a computer security response procedure, 
providing data to enable display of one or more corresponding response steps; and 

generating a permanent record comprising computer security incident 
information, executed investigation step and result information, executed response step 
and result information, and corresponding date and time stamps, 

43- (Original) The method of Claim 42, further comprising the step of recording 
executed investigation step information and results of the executed investigation step with 
at least one of a date and time stamp in response to a selection of a step of an 
investigation procedure. 

44. (Original) The method of Claim 42, further comprising the step of recording 
executed response step information and results of the executed response step with at least 
one of a date and time stamp in response to a selection of a step of a response procedure. 

45. (Original) The method of Claim 42, further comprising the steps of: 

providing data to enable display of a plurality of procedures; 

in response to receiving a selection of a procedure, displaying a plurality 

of steps; 

obtaining modification information for the selected procedure; and 
storing the modification information. 
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46. (Original) The method of Claim 42, further comprising the step of at least 
one of adding or deleting a step in a procedure, 

47. (Original) The method of Claim 42, further comprising the steps of: 

providing data to enable display of a plurality of steps of a procedure; 
in response to selection of a step, providing data to enable display of 
detailed information fields related to the selected step; 

obtaining modification information for the selected step; and 
storing the modification information. 

48. (Original) The method of Claim 42, further comprising the step of at least 
one of adding, deleting, or modifying a step in a procedure. 

49. (Original) The method of Claim 42, further comprising the steps of: 

obtaining computer security incident search information; and 
providing data to enable display of one or more computer security 
incidents matching the computer security incident search information. 

50. (Original) The method of Claim 42, further comprising the steps of: 

tracking multiple computer security incidents; and 

storing information for each computer security in accordance with at least 
one of date and time stamp, 
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51. (Currently Amended) A method for selecting a computer that is strategically 
located relative to a source of a computer security incident, comprising the steps of: 

accessing a table comprising computer locations, Internet address ranges, 
and computer security step information for one of investigating and responding to one of 
suspicious computer activity that occurs prior to a computer security threat and an actual 
computer security threat : 

comparing a computer security step to be executed and a target Internet 
address with computer locations and Internet address ranges listed in the table; 

determining if a match exists between an Internet address of a computer 
security incident and the Internet address ranges listed in the table; and 

selecting a computer to execute the computer security step based upon the 
matching steps, wherein the computer has a location and is capable of interacting with the 
Internet address of the computer security incident 

52. (Original) The method of Claim 51, further comprising the step of: 

if one or more matches exist, providing data to enable display of the 
matching information; 

if a match does not exist, providing data to enable display of one or more 
appropriate substitute computer locations or automatically selecting an appropriate 
location. 

53. (Currently Amended) The method of Claim 51, wherein the security step 
comprises a portion of a security response procedure, wherein the computer is 
strategically located relative to a source of a computer security incident. 

54. (Currently Amended) The method of Claim 51, wherein the step comprises a 
portion of a security investigation procedure, wherein the computer is strategically 
located relative to a source of a computer security incident. 

55. (Original) The method of Claim 51, wherein each step to be executed in a 
security procedure comprises one or more off-the-shelf security application programs. 
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56. (Currently Amended) A method for generating a permanent record of one of 
more computer security incidents and reactions thereto, comprising the steps of: 

receiving com puter security incident information indicating one of 
suspicious computer activity that occurs prior to a computer security threat and an actual 
computer security threat- 

displaying one or more tools for one of investigating and responding to 
computer security incident information : 

receiving a selection of a tool; 

in response to a selection of a tool, forwarding data for execution of the 

tool; and 

forwarding data for generating a permanent record comprising computer 
security incident information, executed tool information, and corresponding date and time 
stamps. 

57. (Original) The method of Claim 56, further comprising the step of displaying 
the tools as icons on a computer display. 

58. (Original) The method of Claim 56, further comprising the step of displaying 
a plurality of tools that are selectable from a menu, 

59. (Original) The method of Claim 3 1 , further comprising the step of installing 
the one or more program modules within a single program on a server. 

60. (Original) The method of Claim 31, further comprising the step of installing 
the one or more program modules on a single server. 

61. (Original) The method of Claim 31, further comprising the step of installing 
the one or more program modules on a computer that is a target of a computer incident. 
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62. (Original) The method of Claim 31, further comprising the step of installing 
the one or more computer modules on both a computer that is a target of a computer 
incident and a server* 

63. (Original) The method of Claim 27, wherein the table further comprises 
Internet address ranges, the method further comprising the step of comparing an Internet 
address of a computer subject to an attack or security breach with the Internet address 
ranges of the table. 

64. (Currently Amended) The method of Claim 27, wherein the table further 
comprises Internet address ranges, the method further comprising the step of comparing 
Internet address of a witness to a computer security incident with the Internet address 
ranges of the table. 

65. (Currently Amended) The method of Claim 27, wherein the table further 
comprises Internet address ranges, the method further comprising the step of comparing 
an Internet address of an accomplice to a computer security incident with the Internet 
address ranges of the table. 

[The Remainder of this Page has been intentionally left blank.] 
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